    aesni: Avoid modifying session keys in hmac_update()
    
    Otherwise aesni_process() is not thread-safe for AES+SHA-HMAC
    transforms, since hmac_update() updates the caller-supplied key directly
    to create the derived key.  Use a buffer on the stack to store a copy of
    the key used for computing inner and outer digests.
    
    This is a direct commit to stable/12 as the bug is not present in later
    branches.
    
    Reviewed by:    kib
    Differential Revision:  https://reviews.freebsd.org/D30001
    
    (cherry picked from commit 62e32cf9140e6c13663dcd69ec3b3c7ca4579782)
--- sys/crypto/aesni/aesni.c.orig
+++ sys/crypto/aesni/aesni.c
@@ -655,10 +655,10 @@
 {
 	size_t i;
 
-	for (i = 0; i < 64; i++)
+	for (i = 0; i < AESNI_SHA_BLOCK_LEN; i++)
 		key[i] ^= xorbyte;
-	update(ctx, key, 64);
-	for (i = 0; i < 64; i++)
+	update(ctx, key, AESNI_SHA_BLOCK_LEN);
+	for (i = 0; i < AESNI_SHA_BLOCK_LEN; i++)
 		key[i] ^= xorbyte;
 
 	crypto_apply(crpflags, __DECONST(void *, buf), off, buflen,
@@ -883,6 +883,7 @@
 		struct SHA256Context sha2 __aligned(16);
 		struct sha1_ctxt sha1 __aligned(16);
 	} sctx;
+	uint8_t hmac_key[AESNI_SHA_BLOCK_LEN] __aligned(16);
 	uint32_t res[SHA2_256_HASH_LEN / sizeof(uint32_t)];
 	int hashlen, error;
 	void *ctx;
@@ -946,15 +947,16 @@
 	}
 
 	if (hmac) {
+		memcpy(hmac_key, ses->hmac_key, AESNI_SHA_BLOCK_LEN);
+
 		/* Inner hash: (K ^ IPAD) || data */
 		InitFn(ctx);
-		hmac_internal(ctx, res, UpdateFn, FinalizeFn, ses->hmac_key,
-		    0x36, crp->crp_buf, crd->crd_skip, crd->crd_len,
-		    crp->crp_flags);
+		hmac_internal(ctx, res, UpdateFn, FinalizeFn, hmac_key, 0x36,
+		    crp->crp_buf, crd->crd_skip, crd->crd_len, crp->crp_flags);
 		/* Outer hash: (K ^ OPAD) || inner hash */
 		InitFn(ctx);
-		hmac_internal(ctx, res, UpdateFn, FinalizeFn, ses->hmac_key,
-		    0x5C, res, 0, hashlen, 0);
+		hmac_internal(ctx, res, UpdateFn, FinalizeFn, hmac_key, 0x5C,
+		    res, 0, hashlen, 0);
 	} else {
 		InitFn(ctx);
 		crypto_apply(crp->crp_flags, crp->crp_buf, crd->crd_skip,
--- sys/crypto/aesni/aesni.h.orig
+++ sys/crypto/aesni/aesni.h
@@ -52,12 +52,14 @@
 #define	AES256_ROUNDS	14
 #define	AES_SCHED_LEN	((AES256_ROUNDS + 1) * AES_BLOCK_LEN)
 
+/* SHA1, SHA2-224 and SHA2-256 only. */
+#define	AESNI_SHA_BLOCK_LEN	64
+
 struct aesni_session {
 	uint8_t enc_schedule[AES_SCHED_LEN] __aligned(16);
 	uint8_t dec_schedule[AES_SCHED_LEN] __aligned(16);
 	uint8_t xts_schedule[AES_SCHED_LEN] __aligned(16);
-	/* Same as the SHA256 Blocksize. */
-	uint8_t hmac_key[SHA1_BLOCK_LEN] __aligned(16);
+	uint8_t hmac_key[AESNI_SHA_BLOCK_LEN];
 	int algo;
 	int rounds;
 	/* uint8_t *ses_ictx; */
